From 6a9958d504853efa4e36900398490afe05a1134c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Thu, 17 Apr 2025 21:08:11 +0200
Subject: [PATCH] libselinux: prioritize local literal fcontext definitions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain

For literal file context definitions respect overrides from homedirs or local configurations by ordering them first.
Fixes: 92306daf ("libselinux: rework selabel_file(5) database")
Reported-by: Paul Holzinger
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2360183
Signed-off-by: Christian Göttsche
---
 libselinux/src/label_file.c | 5 +++--
 libselinux/src/label_file.h | 10 +++++++++-
 libselinux/src/selinux_internal.h | 2 ++
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 2c7615174e5f..d1d1d01c769f 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -480,7 +480,7 @@ static int load_mmap_ctxarray(struct mmap_area *mmap_area, const char *path, str
 return 0;
 }
-static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating,
+static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating, uint8_t inputno,
 struct literal_spec *lspec, const struct context_array *ctx_array)
 {
 uint32_t data_u32, ctx_id;
@@ -489,6 +489,7 @@ static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating,
 int rc;
 lspec->from_mmap = true;
+ lspec->inputno = inputno;
 /*
@@ -732,7 +733,7 @@ static int load_mmap_spec_node(struct mmap_area *mmap_area, const char *path, bo
 node->literal_specs_alloc = lspec_num;
 for (uint32_t i = 0; i < lspec_num; i++) {
- rc = load_mmap_literal_spec(mmap_area, validating, &node->literal_specs[i], ctx_array);
+ rc = load_mmap_literal_spec(mmap_area, validating, inputno, &node->literal_specs[i], ctx_array);
 if (rc)
 return -1;
 }
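Review bot: The new `uint8_t inputno` parameter of load_mmap_literal_spec in the first hunk is undocumented, and since it decides ordering between otherwise equal literal specs, a line beside the prototype would help: `/* inputno: position of the source file in load order; later inputs win ties between equal literal specs */`. The value is taken from the caller's argument rather than decoded from the mmap'd database, so the database contents cannot influence this priority. If the `inputno` passed from load_mmap_spec_node in the third hunk is declared wider than uint8_t (its declaration is outside the hunk), the conversion is silent and the point where inputs are counted would deserve a range check. Both load_mmap_literal_spec and load_mmap_spec_node continue outside the hunks shown.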
diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
index 60ebbb472dda..eb7239719a85 100644
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@@ -96,6 +96,7 @@ struct literal_spec {
 char *regex_str; /* original regular expression string for diagnostics */
 char *literal_match; /* simplified string from regular expression */
 uint16_t prefix_len; /* length of fixed path prefix, i.e. length of the literal match */
+ uint8_t inputno; /* Input number of source file */
 uint8_t file_kind; /* file type */
 bool any_matches; /* whether any pathname match */
 bool from_mmap; /* whether this spec is from an mmap of the data */
@@ -368,7 +369,13 @@ static inline int compare_literal_spec(const void *p1, const void *p2)
 return ret;
 /* Order wildcard mode (0) last */
- return (l1->file_kind < l2->file_kind) - (l1->file_kind > l2->file_kind);
+ ret = spaceship_cmp(l1->file_kind, l2->file_kind);
+ if (ret)
+ return -ret;
+
+ /* Order by input number (higher number means added later, means higher priority) */
+ ret = spaceship_cmp(l1->inputno, l2->inputno);
+ return -ret;
 }
 static inline int compare_spec_node(const void *p1, const void *p2)
@@ -746,6 +753,7 @@ static int insert_spec(const struct selabel_handle *rec, struct saved_data *data
 .regex_str = regex,
 .prefix_len = prefix_len,
 .literal_match = literal_regex,
+ .inputno = inputno,
 .file_kind = file_kind,
 .any_matches = false,
 .lr.ctx_raw = context,
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 964b84189649..3fe7d4c3953a 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -150,4 +150,6 @@ static inline void fclose_errno_safe(FILE *stream)
 # define unlikely(x) (x)
 #endif /* __GNUC__ */
+#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))
+
 #endif /* SELINUX_INTERNAL_H_ */
--
2.49.0
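Review bot: The descending inputno tiebreaker in compare_literal_spec makes the sort order depend on a field a lookup-side comparator may not consult; if the literal array is searched with bsearch and a separate key comparator elsewhere in label_file.h (not visible here), that comparator has to remain a prefix of this ordering, otherwise a search can stop on a different member of an equal-literal run than the one the sort intended to put first. Two specs with equal literal, file_kind and inputno (duplicates inside one input) still have no defined relative order under qsort, which was already the case before this change and is worth stating. The comment could also name the direction, since the negation is easy to misread: `/* Order by input number descending: higher number means added later, means higher priority */`. compare_literal_spec starts outside the hunk.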
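Review bot: `spaceship_cmp` evaluates both arguments twice, so a future caller passing an expression with side effects would get a double evaluation; the two call sites in this patch pass plain struct members, but the macro lives in a shared internal header. A one-line comment above it would guard later uses: `/* Three-way compare yielding -1, 0 or 1; evaluates a and b twice, so pass side-effect-free expressions. */`. A `static inline` helper would remove the hazard but needs a fixed argument type, so the macro is defensible here as long as the contract is written down.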